Collection Agency's Server Stolen; Had 700,000 Accounts On It

By cwalters, April 19, 2008

Indiana broke its own record for computer security breaches last month, when a server containing personal data on 700,000 people was stolen from the offices of Central Collection Bureau, a debt collection agency. The stolen data included names, personal billing information, last known addresses, and social security numbers of people who hold delinquent accounts with a variety of companies, including utilities and hospitals. The company said the server was behind “three locked doors” and “was protected by two passwords, but was not encrypted.”

A lot of the data is old and potentially of little value—one hospital says the accounts it passed to the agency were all at least three years old. On the other hand, a gas company said that because it only had last known addresses on the accounts it handed over, it actually had no way of contacting the victims to alert them to the theft.

The agency president told the IndyStar, “We’re obviously heartsick about this. We’ve been in business since 1972, and nothing like this has ever happened before.” Responses from companies who had passed their customers over to the agency, however, varied from taking it seriously to regretting any inconvenience. We suspect they’re not feeling too much concern for their non-paying clients.

Comments


Oh, wait – they had it behind three locked doors and two passwords. And on a Windows NT4 SP1 server. So, you know.

We need personal privacy theft penalties. The existing criminal statutes do not adequately cover this kind of stuff – where our valuable “property” is trusted in the hands of a second party, and which changes hands without our knowledge.

Wait, you stole a server full of names and info of folks who are in collections? What the hell are you going to do with it, be declined for credit cards in others names? (Yes, I know the risks, just trying to make a joke.)

How the hell do you not have cameras on the room that has your servers in it? We have cameras all over our server room and you have to use a key and a numerical keypad to get into the room. Not only that, servers aren’t exactly light objects.

Alright. Couldn’t have happened to a nicer bunch. Debt collectors really are the bottom rung of society, right below tow truck drivers, but above pedophiles. Not because of what they do (people should pay their debts) but because of the sleazy way they go about it.

I love the lame attempt to put a happy face on it, ‘A lot of the data is old and potentially of little value’. Right. Let me know when my social security number expires so that I can get a new one.

I think it’s time that companies (voluntarily if not mandatory) follow similar guidelines that the government uses for handling confidential and classified information. Of course I realize that not everyone is intelligent or has enough common sense to understand and use those types of procedures.

And as much as I don’t want Congress to get involved in identity theft I do think that companies that don’t secure this info should be made to pay multi million dollar penalties. (Maybe THAT would force them to institute severe security measures).

ok, a fucking SERVER was stolen?
i understand if they don’t care about the data on the server (it should be backed up elsewhere) but how do you allow someone access to your server room, then let them walk out with one of your servers??

Side note: I’m from Indiana. This actually sucks.. They probably have my info.. If they steal my ID, that just means there’s more of me to go around :D

Everyone bashing us people in collections can kiss my arse. I had a bad accident (dominant hand was Bush’d up baaad) and I was out of work, so I’ve got over 10k in hospital bills, plus a cellphone bill that I couldn’t pay at the time. That was 2 years ago now, and I’m working on paying those bills off, but I was told by an attorney they’ll still have my information on file afterwards for so long… That’s so awesome…

I do like the statement that the “data is old and of little value.” If it’s of little value why was the collection agency keeping it. It’s obviously of value to them and probably many others – just for the SSNs themselves.

@gqcarrick: There are lots of places that have sensitive information that isn’t encrypted on a SERVER. For instance, SSN is often a table key for a person, and it’s often clear-text in the database. And a “server” doesn’t have to be that big. I have a Terabyte server that’s the size of a desktop. Emphasis is generally to encrypt off-site or information physically leaving the data center.

It seems it was reasonably physically secured, which for a server is generally sufficient. I agree with AstroPig7, for someone even to break through three doors (and know a rich target is there) to get at the thing, this smells to me of an inside job.

@loueloui: “Couldn’t happen to a nicer bunch…” – The problem I have with your statement is the actual victims are the people whose information is now available to criminals. The collection company will have the hardware replaced by insurance and data restored from backup. Inconvenience for a few days. The people whose information was on the server will have to watch their credit reports for years to come.

What I find infuriating about this is that some of these credit agencies collect on bills that have already been settled. How many times on the Consumerist do we see stories of people being harassed by collection agencies for debts that no longer exist? When I bought my house a few years back, the mortgage broker was telling us that with regard to medical billing, unless the dollar amount on the credit record is through the roof (thousands, etc) they ignore it – it’s that well known that the credit agencies aren’t always on the up and up.

So there are some people in that database who probably aren’t deadbeats, and never have been.

@lesbiansayswhat: I change my Social Security number weekly, that way I never have these stupid problems.

Oh yeah… I don’t do that because I can’t. The damn thing isn’t supposed to be used for anything except as a retirement account number. Collection bureaus, schools, States (DL number), Health Insurance companies, EVEN CELL PHONE COMPANIES etc. all use it as a damn mandatory “identifier” that you can’t change. If mine’s ever breached, I’m listing Sprint, Transunion, Experian, state of Illinois, and others as likely suspects in the theft. Biometric data, if they ever get THAT scam passed, will only be worse – whaddya going to do when THAT data is compromised – change your fingerprints or irises?

I’ve been in many small offices (5-30 employees) where the server is sitting under someone’s desk; in others it may be in a closet but it’s generally not locked. Most of these are in one industry, but it doesn’t seem to be the line of business that matters, it’s the size of the business.

I strongly suspect that this company is in that small-business category, and until companies get a bit bigger they generally don’t have the money or space for a dedicated server closet – particularly if they only have one or two servers. In a lot of cases, the closest thing to real security they have is that they’re running dedicated systems on SCO Unix and nothing else out there likes working with SCO’s funky partitioning system.

No encryption is an error of gross negligence. They should have to pay for credit monitoring for everyone on the server. I’m willing to bet they’ll underrepresent the number by the amount of people they’re trying to collect under $10 from, so now might be a good time for a dispute if you’ve got a record with these people.